Mobile phone fraud: 'They stole £22,500 using my banking app'

I’d love to know how they’re actually doing this.

I will admit I do store PINs and stuff on my phone but it’s in the notes section of LastPass. Yes LastPass, I know! :joy:

2 Likes

What are the rules here on speculating on ways of breaking the law, including the security measures of banks?

Monzo prohibit it so I have to be careful what I say there, and how much I go into these things. So before I answer your question as to how this could be done, how much detail am I allowed to get into on here? Enough that everyone will be capable of committing this crime, or just enough to remove any doubt that someone might be telling porkie pies?

1 Like

I don’t run this place but really, will anyone go and commit this crime because of a post here? I really doubt it.

In the interests of debate and discussion, I have a strong preference to allow this discussion.

If someone’s really worried about it, wait a fortnight or two, and delete the discussion after it’s finished so it doesn’t live on google for years to come.

2 Likes

It shouldn’t be possible as far as I’m concerned so feel free.

That person who only does their banking on a windows PC with antivirus is having the last laugh at the moment! :joy:

Are they?

The “problem” with internet banking is that you can login from any device, not just yours. App-based banking requires registration procedures (and often only works on a single device) so theoretically app-only banks are most secure.

The reason I ask is because if I’m teaching folks how to commit fraud, the forum owner could potentially wind up getting into trouble for it, that’s why there’s quite often a rule against it.

I’m sure the good folks here won’t up and quit their day job to spend their days drinking coffee in Starbucks waiting for their next victim to buy their afternoon double shot caramel macchiato. But someone on the internet could be trying to learn how to do this and come across my post and discover it; at that point, I’m responsible for another fraudster roaming the streets, which I don’t want.

I’ll keep it brief and vague-ish for now, and if @Graham or @Mathew want to clarify if it’s allowed or not and either remove my post or allow me to go more in depth, I’ll feel happier.

There are a few details omitted in the BBC article which are important for deducing exactly how this particular incident was pulled off, so when I explain how I’d do it I’ll be making some educated assumptions and guesses about other things that may have occurred in the lead-up to the resulting fraud.

My first assumption is fraud at that scale is going to be organised. It’s not going to be a random pickpocket acting in isolation who somehow thwarted pretty decent security practices. But it’s the act of the pickpocket that the victim is aware of.

In order to break into the user’s phone, then the banking app, and finally their card PIN, they’re going to have to come by that information somehow. There are a few ways of doing this:

  • By pot luck a pickpocket could brute force it, or learn it through basic observation, but I’m doubtful given that the victim relies on Face ID.
  • The same tools law enforcement use to break into iPhones are marketed towards and sold to criminals too; it’s equally plausible the threat actor may have had access to such a tool, but it wouldn’t explain the learning of the card PIN.
  • A third possibility is the installation of malware onto the victim’s phone. In organised fraud this is very likely, and the more widely used method by fraudsters, but usually only for victims who use Android. Such an attack is certainly possible on iOS too, but Apple make it much harder and do a better job of protecting their users from it, and as I understand it, this person uses an iPhone.
  • Another common method, which works equally well against iOS targets, is good old-fashioned social engineering. Done well enough and the victim might not even be aware it took place. This is the method I’d personally use for this sort of fraud, in this sort of situation, given the assumption I’ve made above.
  • You could also try to learn them through fingerprint patterns (yes, similar to how it’s done in the movies), but it leaves too much up to guesswork.

So how do you pull this off? Well here’s how I’d do it given my two assumptions above:

  1. Set up a public Wi-Fi honeypot somewhere, like in a Starbucks, where you’re probably likely to catch more affluent targets. You’re likely going to be hunting victims who bank with a certain bank over another, like Barclays. This is because you can quite easily trick folks into going to what looks like their bank, but is actually your little copy you set up for the purpose of harvesting passcodes and PINs.
  2. Once you’ve identified your target, you can get to work learning the passcodes. Have you ever wondered what the little custom phrase Barclays make you pick for your lock screen is for? It’s for exactly this scenario. If you’re on a public Wi-Fi network which the threat actor controls, they can divert your requests to Barclays’ servers to their own, which would look very similar. Here they could collect your app passcode and card PIN.
  3. Steal the phone at the right opportunity. Usually you’d want to do that when it’s left on the table unlocked, as opposed to taking it from their pocket. If you can’t steal it unlocked you’ll need to learn their device passcode or brute force it. A simple social engineering attack would get the job done, or you could try to trick this out of them when they join your hotspot.
  4. Access their device and steal the money.

Again, this isn’t the only way to pull off fraud like this. I’ve made some assumptions out of the omitted details, and that’s just how I’d approach it on the basis of those assumptions. I won’t be going into any details here about how you can set up a honeypot and trick the information out of these victims, but there are guides elsewhere online and it’s not terribly difficult to do.

The article has good advice on how to protect yourself from this sort of fraud. It’s quite generalised though, and you should conduct your own threat model for yourself as opposed to just blindly following all of it, as most of it could be overkill for most people. I’ve also made an assumption that they used public Wi-Fi at some point. This is because a lot of people do use public Wi-Fi, and their use of it makes attacks like these easier to pull off. Now they may not have used it, they haven’t said either way, and so the advice is missing from the article, but good grief, don’t be accessing your bank on public Wi-Fi! It might not be your bank!

3 Likes
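The redirection in step 2 of the post above only works if the client accepts whatever certificate the rogue hotspot presents for the bank’s hostname. Banking apps typically defend against this with public-key pinning on top of normal TLS validation. The following is an added example written for this edit, not code from the original post or from any bank’s app: bank.example is a made-up placeholder hostname, and both certificates are generated in-process, so it runs offline and shows why a hotspot that controls DNS still cannot satisfy a pinned client.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin returns base64(SHA-256(SubjectPublicKeyInfo)) for a certificate,
// the pin format used by HPKP and by mobile pin sets such as Android's
// network security config. Pinning the key rather than the whole certificate
// lets the bank renew the certificate without breaking the app.
func spkiPin(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return base64.StdEncoding.EncodeToString(sum[:])
}

// verifyPins builds a callback with the same shape as
// tls.Config.VerifyPeerCertificate. It accepts the presented chain only if
// at least one certificate in it carries a pinned public key. In a real
// client this runs in addition to normal chain validation, not instead of it.
func verifyPins(pins map[string]bool) func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		for _, raw := range rawCerts {
			cert, err := x509.ParseCertificate(raw)
			if err != nil {
				return err
			}
			if pins[spkiPin(cert)] {
				return nil
			}
		}
		return errors.New("pin check failed: no pinned public key in presented chain")
	}
}

// selfSigned generates a fresh P-256 key and a self-signed certificate for
// the given hostname. Used here only to construct test material in-process.
func selfSigned(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Outcome records what the pinned client did with each certificate.
type Outcome struct {
	GenuineAccepted bool
	RogueRejected   bool
}

// Demo simulates the hotspot scenario: the genuine bank certificate is pinned
// at app build time; the rogue hotspot later presents a different certificate
// for the same hostname (bank.example is a placeholder, not a real bank).
func Demo() (Outcome, error) {
	genuine, err := selfSigned("bank.example")
	if err != nil {
		return Outcome{}, err
	}
	// Same hostname, different key: this is all a DNS-redirecting hotspot can
	// produce. It does not hold the bank's private key, so the pin never matches.
	rogue, err := selfSigned("bank.example")
	if err != nil {
		return Outcome{}, err
	}
	verify := verifyPins(map[string]bool{spkiPin(genuine): true})
	return Outcome{
		GenuineAccepted: verify([][]byte{genuine.Raw}, nil) == nil,
		RogueRejected:   verify([][]byte{rogue.Raw}, nil) != nil,
	}, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted: %v, rogue rejected: %v\n", out.GenuineAccepted, out.RogueRejected)
}
```

Pinning is what makes the "register this device with the app" model in the earlier post stronger than a browser session: a browser will happily trust any certificate a public CA issued, and will let a user click past a warning, whereas an app with a pin set refuses the rogue hotspot's certificate outright. The usual caveat is that pins must include a backup key, or a routine key rotation at the bank locks every installed app out.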

I still have people say to me they won’t do banking on a phone.

I think some people see phones as toys and not serious operating systems. It’s a bit insulting to Google and Apple considering the amount of work they put into security :joy:

Yes, it’s come up in a lot of recent articles shared here around branch closures.

Things like: 96 year old Doreen has an iPad which she uses to FaceTime her grandchildren but refuses to use it for banking despite her local branch closing. “Now I’ll have to get two buses to get to the next branch”, says Doreen, “banking on the iPad - I’d never, there’s too much fraud”.

1 Like

I’d recommend she get a Chromebook. It’s completely idiot-proof as well!

I presume this is like the gym locker theft one last year; didn’t we conclude the attack vector was gaining access to OLB via ID (also stolen) and 2FA text message previews?

1 Like

To be fair, she’s not exactly wrong. If you don’t trust yourself not to fall for the myriad of scams and phishing attacks out there, which the device won’t protect you from no matter how well engineered it is when it comes to security, she’s probably better off just sticking with the branch.

The mobile banking itself is perfectly safe if you just stick to the app and ignore everything else. But one scary email might be all it takes to catch Doreen off guard, and the door to that mobile banking world is now open. I can certainly see the appeal in leaving it closed. It just avoids the risk altogether.

1 Like

I forgot to add that there would probably be an attitude of “Why should I have to change? The bank are abandoning us; it’s a disgrace” added to that, meaning that, even if security could be guaranteed (and, realistically, it can’t ever be 100%), the customer will still be reluctant to use digital channels. Some are even reluctant to use telephone banking.

It’s understandable, because if you fear phone scams then it’s better to simply not use it, in the same way as it’s better to not use digital channels if you are not confident with them.

Believing a particular brand of hardware or software makes one immune to fraud is foolish and dangerous.

2 Likes

I never said it would make anyone immune but Chrome OS is more secure than most other operating systems. It’s definitely more secure than Windows. No one is ever going to be immune but I’d rather Doreen used a Chromebook for her online banking than Windows. A lot of the ways people are defrauded are not possible on a Chromebook, which at least reduces risk.

If it was up to me I’d advise people to do their banking on an app on their phone. It’s actually the safest way, ignoring these recent cases :joy:

It’s exactly as susceptible as any OS to the most common form of fraud involving online banking - which involves the fraudster taking remote control of the computer via AnyDesk or TeamViewer.

2 Likes

Yet not as susceptible to viruses, keyloggers and ransomware so more secure…

Plenty of other ways scammers target people won’t work on Chrome OS but will work on Windows.

I don’t do banking on a desktop OS but for someone like Doreen, yes, I’d recommend a Chromebook over Windows.

1 Like

Both things are true!

Yes, clearly security is a sliding scale and there is also at least a certain element of security through obscurity if you don’t use the most common desktop banking platform. iOS is, for example, relatively speaking, more secure than Android as developer access to the platform is limited and third-party app stores are still prohibited (for now, until the EU force Apple to allow them), so all apps should be vetted.

This doesn’t mean, though, that a major flaw couldn’t be uncovered which could be exploited by malicious actors. Again, you can trust Apple to patch that probably - but not instantly - whereas Android software support is more patchy and limited.

TeamViewer-type scams are most prevalent and work on every desktop platform; they are also social-engineering based so red flags do not get raised. I’ve been critical of those falling for these scams in the past because it is against all messaging from banks, but vulnerable customers will not understand the messaging so are much more easily targeted, and I do have sympathy for them. I can understand why they would want to “opt out” of accessing their account except in a branch, as a simple way to protect themselves against scams they don’t understand and wouldn’t be confident identifying. In the case of branch closures, I would also try to reassure them that the Post Office is safe. Telephone banking is also safe if you ensure that you only ever contact the bank directly via their published telephone number. If paranoid, clearing the line by dialling an innocuous number first and then hanging up is worth doing.

1 Like

What you say might have been true a decade ago but I’m not convinced it’s a useful vector any more. A 2FA gateway minimises the viability of such an attack considerably, and every bank will have one now for unfamiliar devices/IPs.

Education is the answer, not promotion of particular devices as some kind of protection.

2 Likes

I suppose the issue is that the scammer can capture data like this, target a customer via a phone scam, and then use social engineering to “trick” them into authorising the 2FA on their side. This is more sophisticated than the classic TeamViewer scam so may catch out those who would recognise that as a scam. Especially if they are caught off-guard on the phone. Scammers do this by calling people when they are likely to be busy.

This is why 2FA doesn’t actually work half as well as it should - because it can still be defeated via social engineering.

Agreed!

1 Like

Let’s not do that :slight_smile:

I have no objection to people suggesting how to safeguard against fraud etc. At the end of the day, we all need to remain safe, secure and alert as new methods or techniques come into play.

But, let’s not speculate on how they do it, just more of the ways you can protect yourself against it.

There used to be a programme on BBC Three (back when it was good) called “The Real Hustle”, which showed you how con-artists pulled off the things they did. It was good for its time, but it showed how to walk out of a shop with a brand new TV without paying, for example. But they showed and shared tips on how to protect yourself against it, too. This I would have no issue with.

Just stating how it’s done without any protection against it happening, I would say is the “no zone”

Keep it safe, and just think before posting - “Is this post going to enable anyone to try this and run a scam or commit fraud as a result?” If the answer is anything but “no”, don’t post it.

3 Likes